Quickly find bots
So, how do we find bots more quickly? We use BotHunter. BotHunter is a very valuable IDS component because it adds intra-session correlation (also called dialog-based correlation) on top of ordinary per-session alerting.
Session-level detection
Traditionally, IDS alerts are generated by reconstructing a single session between two endpoints and matching known patterns that indicate a security violation within that session. This is what all other IDSs do today, and it usually results in a very high false positive rate: the relevant, important events are buried in the huge volume of uninteresting security events. BotHunter consumes these session-level alerts and goes well beyond them with intra-session correlation.
Intra-session correlation
Intra-session correlation compares IDS alerts from multiple sessions belonging to a single home machine and combines them to identify typical infection or misuse behavior. By requiring two or more sessions to exhibit abnormal behavior, intra-session correlation virtually eliminates false positives and brings true positives to the forefront. As with session-level IDS, BotHunter requires updates and new intelligence feeds to adapt to new malicious behaviors; BotHunter feeds are automatically updated weekly from the SRI Malware Threat Center. BotHunter is completely integrated into the MetaFlows Security System (MSS), so MetaFlows customers have access to BotHunter in a context-rich environment that includes flow analysis, log management, SIEM and much more.
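To make the difference between per-session alerting and cross-session (dialog-based) correlation concrete, here is a small toy correlator. It is an added illustration written for this page, not BotHunter's code or its scoring model; the phase labels, the alert fields and the sample alerts are all constructed assumptions. It reports a home host only when abnormal behaviour shows up in at least two distinct sessions spanning at least two distinct infection-dialog phases, which is why the single noisy scan alert and the repeated single-session alerts below are suppressed while the multi-session infection is surfaced.

```python
"""Toy dialog-based (cross-session) alert correlator.

Added example for illustration only; this is NOT BotHunter's code or its
scoring model. Phase names, alert fields and sample data are assumptions.
"""

from collections import defaultdict
from dataclasses import dataclass

# Hypothetical infection-dialog phases a session-level signature can map to.
# These labels are assumptions for the example, not BotHunter's taxonomy.
PHASES = {"inbound_scan", "exploit", "egg_download", "c2_traffic", "outbound_scan"}


@dataclass(frozen=True)
class Alert:
    home_host: str   # the internal machine the alert concerns
    session_id: str  # identifier of the reconstructed session that raised it
    phase: str       # dialog phase the matching signature belongs to


def session_level_hits(alerts):
    """Traditional view: every session-level alert is reported on its own."""
    return [(a.home_host, a.session_id, a.phase) for a in alerts]


def correlate(alerts, min_sessions=2, min_phases=2):
    """Dialog-based view: flag a host only when abnormal behaviour appears in
    at least `min_sessions` distinct sessions covering at least `min_phases`
    distinct phases. Returns {host: sorted list of observed phases}."""
    by_host = defaultdict(list)
    for a in alerts:
        if a.phase not in PHASES:      # ignore signatures with no phase mapping
            continue
        by_host[a.home_host].append(a)

    verdicts = {}
    for host, hits in by_host.items():
        sessions = {a.session_id for a in hits}
        phases = {a.phase for a in hits}
        if len(sessions) >= min_sessions and len(phases) >= min_phases:
            verdicts[host] = sorted(phases)
    return verdicts


# Constructed sample alerts (not real IDS output).
SAMPLE_ALERTS = [
    # Host A: one inbound scan alert; a per-session IDS would report it as-is.
    Alert("10.0.0.5", "s1", "inbound_scan"),
    # Host B: exploit in one session, payload download and C2 in two others.
    Alert("10.0.0.7", "s2", "exploit"),
    Alert("10.0.0.7", "s3", "egg_download"),
    Alert("10.0.0.7", "s4", "c2_traffic"),
    # Host C: three alerts, but all from one session and one phase.
    Alert("10.0.0.9", "s5", "inbound_scan"),
    Alert("10.0.0.9", "s5", "inbound_scan"),
    Alert("10.0.0.9", "s5", "inbound_scan"),
]

if __name__ == "__main__":
    print("session-level hits:", len(session_level_hits(SAMPLE_ALERTS)))
    print("correlated verdicts:", correlate(SAMPLE_ALERTS))
```

Run as a script to compare the two views: seven raw session-level hits collapse to a single correlated verdict for the one host whose alerts actually form a multi-session infection dialog. Lowering `min_sessions` and `min_phases` to 1 degenerates to plain per-session alerting, which is a handy way to see how much of the noise the cross-session requirement removes.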
Cost-effective and scalable performance
A single sensor using our ground-breaking multi-core processing capability can inspect up to 500-800 Mbps on a single-processor or up to 5 GBps on a dual-processor off-the-shelf appliance.
As you can see from the graph, running BotHunter on only one core cannot scale beyond a little over 100 Mbps, even on a very fast and modern CPU (Intel Core i7 950). At 250 Mbps on one core, BotHunter can only process 60% of the traffic. Using 8 cores greatly improves performance, allowing BotHunter to run at speeds exceeding 600 Mbps on a single processor. Even higher throughput can be achieved using multiple CPUs.
Improved productivity
Our unique SaaS-based system makes security staff more productive and lets them collaborate more effectively through standard browsers. The SaaS model also affords a significant amount of maintenance and reporting automation to meet and exceed common security compliance requirements out of the box. You can easily view and correlate high-priority IDS alerts with flows, system logs (including OSSEC feeds), and a wide spectrum of network security reports.